linux-bluetooth.vger.kernel.org archive mirror
* [PATCH - untested] bluetooth: Don't check for SMP security too early
@ 2015-09-04  8:56 Chuck Ebbert
  2015-09-04  9:30 ` Johan Hedberg
From: Chuck Ebbert @ 2015-09-04  8:56 UTC (permalink / raw)
  To: Oon-Ee Ng; +Cc: linux-bluetooth

Commit 25ba26539 ("Bluetooth: Fix NULL pointer dereference in
smp_conn_security") added a check for NULL SMP, but it was checked
too early. It is possible for this function to return success even
when that is NULL. Move the check down to just before the variable
gets used.

Fixes: 25ba26539 ("Bluetooth: Fix NULL pointer dereference in smp_conn_security")

---

NOTE: UNTESTED, no signoff

diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index ad82324..0510a57 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -2311,12 +2311,6 @@ int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
 	if (!conn)
 		return 1;
 
-	chan = conn->smp;
-	if (!chan) {
-		BT_ERR("SMP security requested but not available");
-		return 1;
-	}
-
 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
 		return 1;
 
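Review bot: dropping the NULL check at this point lets the function run past the HCI_LE_ENABLED test and into the code preceding the moved check with conn->smp possibly NULL, so the move is only safe if nothing in that stretch dereferences conn->smp. The visible call in that region, smp_ltk_encrypt(conn, hcon->pending_sec_level), takes conn rather than chan, and the lines between the two hunks are not shown here, so a reviewer should confirm that smp_ltk_encrypt and the intervening sec_level handling never touch conn->smp; otherwise the NULL dereference that 25ba26539 fixed comes back through a different path.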
@@ -2330,6 +2324,12 @@ int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
 		if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
 			return 0;
 
+	chan = conn->smp;
+	if (!chan) {
+		BT_ERR("SMP security requested but not available");
+		return 1;
+	}
+
 	l2cap_chan_lock(chan);
 
 	/* If SMP is already in progress ignore this request */
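Review bot: placing the check immediately before l2cap_chan_lock(chan) covers the first use of chan in this function, but the missing-SMP path still returns 1, the same value as the "if (!conn) return 1;" early-out at the top, so a caller cannot distinguish "SMP not available" from "nothing to do". If that is the intended contract, a one-line comment on this "return 1" saying so (and that the LTK path has already been tried by the time it is reached) would keep the next reader from moving the check back up.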


* Re: [PATCH - untested] bluetooth: Don't check for SMP security too early
  2015-09-04  8:56 [PATCH - untested] bluetooth: Don't check for SMP security too early Chuck Ebbert
@ 2015-09-04  9:30 ` Johan Hedberg
From: Johan Hedberg @ 2015-09-04  9:30 UTC (permalink / raw)
  To: Chuck Ebbert; +Cc: Oon-Ee Ng, linux-bluetooth

Hi,

On Fri, Sep 04, 2015, Chuck Ebbert wrote:
> Commit 25ba26539 ("Bluetooth: Fix NULL pointer dereference in
> smp_conn_security") added a check for NULL SMP, but it was checked
> too early. It is possible for this function to return success even
> when that is NULL. Move the check down to just before the variable
> gets used.
> 
> Fixes: 25ba26539 ("Bluetooth: Fix NULL pointer dereference in smp_conn_security")
> 
> ---
> 
> NOTE: UNTESTED, no signoff

Looks like the exact same fix I just sent myself :) If the fix works
(which I think it should) you should of course get the credits since
your patch made it to the list a bit before mine. You might want to
check the commit message and my other email for a bit deeper analysis of
the issue.

Johan

